
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.


Senate panels have approved two privacy-related bills. The Senate Judiciary Committee has approved the Personal Data Privacy and Security Act, which would require organizations that keep personal data on more than 10,000 people to implement privacy and security programs. It also allows people to examine their information and correct errors. Companies that experience security breaches must inform those whose data were compromised if the company determines there is a significant risk of identity or data fraud; if the company determines there is no risk, it must submit its findings to the US Secret Service, which may then conduct its own investigation. If the bill becomes law, it would preempt state data privacy laws. The Senate Commerce Committee approved the SPY BLOCK Act, which would require that users be informed when programs pose a privacy threat and be given an easy way to uninstall spyware. It also makes it a crime to install software on computers without authorization. The SPY BLOCK Act now heads to the Senate floor.
-http://www.eweek.com/print_article2/0,1217,a=165880,00.asp
-http://itmanagement.earthweb.com/secu/print.php/3565646
-http://www.computerworld.com/printthis/2005/0,4814,106350,00.html
[Editor's Note (Schneier): It's long past time that the U.S. had the same sort of data privacy protection that is standard in the EU. However, one of the biggest abusers of data privacy these days seems to be the U.S. government. And they keep exempting new databases from what little privacy laws we now have. Will they be subject to the laws being contemplated? (Honan): The Personal Data Privacy and Security Act is a step in the right direction but ideally should apply to all organizations that keep personal data and not just those that keep personal data for more than 10,000 people. (Grefer): Federal legislation should set a _minimum_ standard, rather than pre-empting or annulling more stringent state legislation. Otherwise the work of a few well-placed lobbyists all too often works to the detriment of the taxpaying consumers. ]

Survey: IT Execs Say Security Will Top IT Spending List in 2006 (21 November 2005)

A survey by Goldman Sachs & Co. of 100 IT executives found that security software and enterprise IT upgrades are expected to top their IT spending lists in 2006. Fifty-two percent of those surveyed said they expected IT spending levels to be unchanged, while forty percent said they were considering reducing their IT budgets for 2006.
-http://www.computerworld.com/printthis/2005/0,4814,106422,00.html
[Editor's Note (Pescatore): The article continues an area of much confusion: compliant does *not* mean secure, and spending on compliance does *not* always mean increasing security. There has been no shortage of user account information being stolen from companies who had no problem passing their Sarbanes-Oxley audits. Spending to get secure and then prove compliance is one thing. Justifying spending because of "compliance" is very different - and there is a lot of this going on. (Ranum): This may be skewed by the fact that a great deal of spending on lawyers and compliance auditing is being reported as "security spending." ]

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Spammer Sentenced to One Year in Prison (17 November 2005)

Peter Moshou, sometimes known as the "Timeshare Spammer", was sentenced to one year in federal prison and ordered to pay US$120,000 in restitution for sending millions of spam messages in 2004 and 2005. Mr. Moshou was convicted in June of violating the CAN-SPAM Act; he had been named in a lawsuit filed by EarthLink. EarthLink also said that it has won a US$15.4 million judgment against Craig Brockwell and BC Alliance Inc. in a suit that claimed Mr. Brockwell and his company sent hundreds of thousands of unsolicited email messages.
-http://news.com.com/2102-7348_3-5959367.html?tag=st.util.print

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Proof-of-Concept Code Available for Unpatched IE Flaw (21 November 2005)

Google Fixes Flaws in Gmail and Google Base (21/18 November 2005)

Google has fixed a flaw in its Gmail service that could have allowed attackers to take control of users' accounts; exploit details have been released. Google maintains that the vulnerability could be exploited only if the attacker has possession of a user's authentication token, a string that appears in the address bar after the user logs in and that is protected by encryption. In a separate story, Google has fixed a cross-site scripting vulnerability in its new content hosting service, Google Base, that could have allowed attackers to steal cookies and other sensitive information from other users. The problem also allowed attackers to embed phony forms within Google Base web pages. A beta version of Google Base was released on November 16, 2005.
-http://www.computerworld.com/printthis/2005/0,4814,106431,00.html
-http://www.computerworld.com/printthis/2005/0,4814,106361,00.html
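The two consequences named in the Google Base item, cookie theft and injected phony forms, both depend on user-supplied text being written into a page as live markup. The following is an added illustration, not Google's code, of the two controls a content-hosting service would apply: escaping every untrusted value before it is placed in HTML, and marking the session cookie HttpOnly so that script running in the page cannot read it. The listing template, the cookie name `sid` and the sample inputs are constructed for the example.

```python
"""Added example (not from the newsletter or from Google): rendering
untrusted listing text safely and issuing a session cookie that injected
script cannot read.
"""
import html
from http.cookies import SimpleCookie

# Constructed samples of the kind of text a listing field might carry.
# The first two mimic the two outcomes described in the news item
# (script that reads cookies, and an embedded fake form); the third is
# ordinary text containing characters that are special in HTML.
UNTRUSTED_SAMPLES = [
    "<script>alert(document.cookie)</script>",
    '<form action="https://example.invalid/collect"><input name="pw"></form>',
    'Plain listing text with 5 < 6 and a "quoted" value',
]


def render_listing(title: str, body: str) -> str:
    """Build the HTML fragment for one listing.

    Every untrusted value goes through html.escape with quote=True, so
    '<', '>', '&', '"' and "'" become entities and cannot open a tag or
    break out of an attribute. The template tags around them are the only
    markup in the result.
    """
    return (
        '<div class="listing">'
        f"<h2>{html.escape(title, quote=True)}</h2>"
        f"<p>{html.escape(body, quote=True)}</p>"
        "</div>"
    )


def contains_active_markup(fragment: str) -> bool:
    """Defensive check used by the test: True if a rendered fragment still
    contains a tag that a browser would execute or submit."""
    lowered = fragment.lower()
    return any(tag in lowered for tag in ("<script", "<form", "<iframe", " onerror="))


def session_cookie_header(token: str) -> str:
    """Return the Set-Cookie header value for the session token.

    HttpOnly keeps the value out of document.cookie, so even if script did
    run in the page it could not read the session; Secure restricts the
    cookie to HTTPS; SameSite=Lax limits cross-site sends. The cookie name
    'sid' is an assumption for the example.
    """
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["path"] = "/"
    cookie["sid"]["samesite"] = "Lax"
    return cookie["sid"].OutputString()


def render_all_safely(samples) -> list:
    """Render each constructed sample and return the fragments."""
    return [render_listing("Listing", body) for body in samples]


if __name__ == "__main__":
    for fragment in render_all_safely(UNTRUSTED_SAMPLES):
        print(fragment)
        print("  active markup left:", contains_active_markup(fragment))
    print(session_cookie_header("constructed-session-token"))
```

Escaping at the point of output rather than on input is what makes the approach reliable: the same stored text may later be placed in an attribute, a script block or a URL, and each context needs its own encoder, so the HTML encoder is applied where the HTML is produced.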

ATTACKS & INTRUSIONS & DATA THEFT

Indiana University Business School Informs Students of Data Security Breach (18/17 November 2005)

Technicians at Indiana University discovered three malware programs on a Kelley School of Business instructor's computer during a routine scan earlier this month. The programs were believed to have been installed in August 2005 and last accessed in October 2005. The laptop computer contains personal information belonging to 5,278 students who took a certain Introduction to Business course between 2001 and 2005; all have been sent a letter informing them of the security breach. The dean of the business school said all computers at the school are being audited to ensure they are configured to allow automatic anti-virus and system software updates. A web site has been set up to address student concerns.
-http://www.fortwayne.com/mld/fortwayne/news/local/13202338.htm
-http://www.idsnews.com/subsite/story.php?id=32635&adid=campus
-http://www.kelley.iu.edu/security/X100Incident.cfm

Boeing Employee Data on Stolen Laptop (19/18 November 2005)

Boeing has acknowledged that a recently stolen laptop computer contained sensitive data belonging to more than 160,000 current and former employees. The laptop was stolen from an off-site location. Among the data on the computer are Social Security numbers, banking information and birth dates. Boeing is notifying everyone whose data were on the computer and will pay for enrollment in credit monitoring and fraud protection programs. Authorities have been notified as well.
-http://www.eweek.com/article2/0,1759,1889139,00.asp?kc=EWRSS03129TX1K0000614
-http://seattletimes.nwsource.com/cgi-bin/PrintStory.pl?document_id=2002633180&zsection_id=2002119995&slug=boeing19&date=20051119
[Editor's Note (Pescatore): Of course, the important question is: why was that data on a laptop? Having seen a number of HR applications, the most likely reason is that the standard HR application wouldn't give the user the reporting they wanted, so they downloaded the entire file to a PC to do spreadsheet reporting. This is a common reason why structured data shows up in so many unstructured places. (Hayler): With so many products available to protect mobile data, it is amazing that stories like these are so common. A simple encryption package would have kept the employees' data safe and therefore saved the company money. ]

STATISTICS, STUDIES & SURVEYS

Irish IT Security Awareness Campaign Survey Finds Few Informed About Spyware and Phishing (17 November 2005)

A survey conducted on behalf of Ireland's Make IT Secure Initiative found that 24 percent of those polled know what spyware is and just 13 percent feel they have a good understanding of what phishing is. However, 79 percent of home users and 75 percent of work users use anti-virus software. The public awareness campaign focuses on educating users about phishing, spyware, identity fraud and online child safety.
-http://www.siliconrepublic.com/news/news.nv?storyid=single5699
[Editor's Note (Ranum): A year ago, IT managers' attitude toward spyware was "What, me worry?" Now, spyware is going to (unfortunately) introduce the Windows computing world to the notion of trusted software distribution, transitive trust, and why a trusted computing base really is necessary. ]

MISCELLANEOUS

Botnets Get Lean to Avoid Detection (16 November 2005)

The average size of a botnet, a network of zombie PCs, has dropped from over 100,000 to 20,000 during the past two years. The change may be due to the fact that botnet operators have figured out that a smaller network makes them harder to detect and stop. Other explanations for the decrease in botnet size are the increasingly competitive environment for compromised PCs and the increased security measures home users with broadband connections are taking to protect their computers from would-be infiltrators. Botnets are used to send spam and phishing email as well as to launch distributed denial-of-service (DDoS) attacks.
-http://news.com.com/2102-7355_3-5956143.html?tag=st.util.print
[Editor's Note (Grefer): Home users with broadband connections should install a router, such as the Linksys BEFSR41, between their DSL/cable modem and their computer/network, and have personal firewall software running on each computer. Antivirus software and anti-spyware products (such as Spybot Search & Destroy) round out the baseline setup. ]

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/